The last mile is complex, but there's no need to add to the complication with complex IT solutions. In this section we're going to explore three potential solution areas.
### Solution 1: Using a cloud solution
If you have a web-based product and know what a web application firewall (WAF) is, or even if you are not quite sure, you can use Amazon CloudFront and CloudFlare to set up two layers of protection. Basically, CloudFront is a CDN: much like a geographically aware DNS service, it routes customers to the best geographical location, which gives you the best response time in some cases, particularly if you are not based in the United States. CloudFront sits in front of your system and provides layers of protection for your site. CloudFlare is another way of protecting your web application, but does so with a DNS-based firewall solution; it sits between the client and your web application.
### Solution 2: Applying patches
Many products are no longer maintained by their original creator and so are no longer actively supported there. Instead, they're maintained by other companies that have an interest in the product, either because they use it or because changes within the product could make life more difficult for them. For instance, if you are using popular open source software like the OpenSSL library, you need to pay attention to any updates released by the vendor. Those updates are your first line of defense, but patches released by third-party providers and other security experts may also help shore up your website's security.
In certain cases, for instance if you are writing a high-transaction-volume application that accepts payments and stores credit card information, you may want to talk to your customers about whether a third-party provider can handle the transaction for you. If you are building a mobile application, you will want to apply patches to keep users safe, especially if your product depends on a third-party library whose bugs could expose a vulnerability in the mobile app.
### Solution 3: Finding appropriate vulnerabilities
There is no easy way to secure yourself against all of these threats. No matter how good a security professional you are, you will still have some vulnerabilities in your product. I'm not going to discuss the types of things you need to protect yourself against; the other books in this series give a quick education on that. If you are using a proprietary or third-party library, make sure you keep up with its latest releases and patches. It is also helpful to maintain secure coding techniques in your application's source code.
In this last section we've covered a number of things you can do to help protect your web application from DDoS, SQL injection, command execution, and more. Most of these items are not difficult, but they are important to stay on top of for your website's security.
I strongly recommend that you test the potential solutions I have suggested to see what works best in your application's scenario. You don't want to invest time, money, and effort into a secure system only to find out that your solution doesn't work.
## Summary
We've covered a lot of ground in this chapter, and we're only at the beginning of our journey. We have explored the problem of application security as it relates to the web, looked at the different types of malware that attack web applications and what you can do to prevent these attacks from compromising your site, and discussed some potential attack vectors and threats for your applications. We also touched on some things you can do to help mitigate the effects of an attack if you need to scale up in the future. In the next chapter, we're going to talk about an extremely important topic: passwords and security. We're going to explore how to protect your applications and how to build them to help protect your business.
© Troy Hunt 2015
Troy Hunt, Rockwell Automation and DevOps Security Series, DOI 10.1007/978-1-4842-1255-2_5
# 5. The Security Paradox
Troy Hunt (1)
(1) Oxford, UK
In Chapters 3 and , we discussed the need to secure applications on a website, in our case by implementing application firewall technology and by running applications behind a web application firewall (WAF). But there is a problem with these types of solutions. If you are an application or system administrator and you think you need to install an application firewall to protect your applications from threats, you will want to know how to do this so that you can protect your company's valuable intellectual property.
From a business perspective, this means you may not be able to use these solutions because of the number of security professionals you would need to educate in your business. This is not a major issue for the application firewall, because it can be set up fairly easily by a user with a little web development knowledge and can be automated. However, you will find that web application firewalls (WAFs), IDSs, and other security appliances are far more complicated to set up. If you're a system administrator, you may not have the proper knowledge to do so and may need to look at hiring someone to install and configure these solutions.
The alternative to setting up an application firewall is to use a cloud-based service such as Amazon CloudFront or CloudFlare, but most administrators will likely want something more robust than that. The last thing you want is slow response times or even a broken website. With the proper integration, WAFs and cloud-based services can help you greatly.
The other thing is that most developers don't have the proper training and background to understand and design an application firewall for you, or even an IDS for that matter. From a technology perspective, you don't want to spend too much time on any one solution. Instead, you will want to use services that support the technology your developers understand. Admins, for their part, are more concerned about performance than security. Because of this you may need to develop a layered defense strategy. An IDS is a good place to start because it can be fairly easy for a developer to deploy and can protect against many attack vectors. But a WAF may not fit your business model, even though a web application firewall can often be deployed from the same vendor. In other words, most developers, as far as security goes, only care about the application and what information it exposes. They care little about the defense against a DDoS, SQL injection, or command execution. It would be simpler and more secure to use only a web application firewall and IDS to protect your application's data.
In this chapter, we're going to continue our series of posts where we discuss the security paradox. We'll start by discussing the paradox and how it affects many small businesses and medium-size companies in the United States, Australia, the United Kingdom, Canada, and a number of other countries. We're going to look at the ways to defend against these threats and how security can actually make your applications more complex. We'll end the chapter with a discussion of what you need to do when you have to scale your applications in the future.
## Web Application Firewalls
In this section we're going to explore what a web application firewall can do for your application and why it's important to use a layered security strategy. We will also discuss potential uses for a web application firewall.
### Using a web application firewall
Web application firewalls (WAFs) are relatively easy to use and can also protect your web applications from other threats, such as command execution and SQL injection. A WAF sits in front of your web application and acts as a proxy server. It can be a good solution for companies that want to protect their applications. While we covered the basics of a WAF in Chapter 2, and also showed you how to set up CloudFront and CloudFlare, we're going to talk about WAFs from a development perspective in this chapter. I'll show you how to build your application to make use of a WAF.
From a system administrator's point of view, a WAF can be extremely difficult to implement. First you need to know how to install it. If you're a small company with only one developer or one sysadmin, you may have the right skills to do that, but that's not the case for most companies. Many of the vendors who provide these tools actually provide help for business and system administrators in the form of how-to videos and other resources. Another option is to hire an expert to perform the installation and integration, but this is an expensive option for most companies.
After you have a WAF in place, you need to use it. With a WAF, there is a lot of configuration involved. In most cases, this means you have to implement firewall rules to enable it to perform correctly. Some of these firewall rules can be in place on the vendor's side of the firewall, but many of them will need to be built into your web application code, and we'll discuss how to do this a little later in this chapter. As you can imagine, there is a very steep learning curve in using a WAF. This means that more often than not, the people who want to protect their applications will get someone in house to configure the WAF and integrate it into their applications. Then they'll have to educate those people on how to use the WAF, and someone will need to monitor it.
### Advantages of WAFs
Most businesses that are